@contrast/assess 1.66.0 → 1.67.0

package/lib/dataflow/propagation/index.js

@@ -34,7 +34,6 @@ module.exports = function(core) {
   require('./install/encode-uri')(core);
   require('./install/escape-html')(core);
   require('./install/escape')(core);
-  require('./install/fastify-send')(core);
   require('./install/handlebars-utils-escape-expression')(core);
   require('./install/isnumeric-0')(core);
   require('./install/mustache-escape')(core);
@@ -48,7 +47,6 @@ module.exports = function(core) {
   require('./install/path')(core);
   require('./install/reg-exp-prototype-exec')(core);
   require('./install/joi')(core);
-  require('./install/send')(core);
   require('./install/util-format')(core);
 
   propagation.install = function() {

package/lib/response-scanning/handlers/index.js

@@ -17,9 +17,9 @@
 
 const {
   primordials: {
+    StringPrototypeSubstring,
     StringPrototypeToLowerCase,
     JSONStringify,
-    StringPrototypeSubstring,
   },
   ResponseScanningRule,
 } = require('@contrast/common');
@@ -261,7 +261,7 @@ module.exports = function(core) {
     });
   };
 
-  responseScanning.handleXPoweredByHeader = function(sourceContext, resHeaders) {
+  responseScanning.handleXPoweredByHeader = function (sourceContext, resHeaders) {
     if (!sourceContext.policy?.isRuleEnabled(X_POWERED_BY_HEADER)) return;
 
     const headerName = 'x-powered-by';
@@ -269,11 +269,13 @@ module.exports = function(core) {
 
     if (header) {
       header = StringPrototypeToLowerCase.call(header);
-
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.X_POWERED_BY_HEADER,
         vulnerabilityMetadata: {
-          platform: header,
+          snippet: header,
+          // the UI vuln title will read: X-Powered-By Header Enabled in Route
+          //                                                             ^^^^^
+          path: 'Route',
         }
       });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.66.0",
+  "version": "1.67.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,18 +20,18 @@
     "test": "bash ../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.38.0",
-    "@contrast/config": "1.54.1",
-    "@contrast/core": "1.59.1",
-    "@contrast/dep-hooks": "1.28.1",
+    "@contrast/common": "1.39.0",
+    "@contrast/config": "1.55.0",
+    "@contrast/core": "1.60.0",
+    "@contrast/dep-hooks": "1.29.0",
     "@contrast/distringuish": "^6.0.2",
-    "@contrast/instrumentation": "1.38.1",
-    "@contrast/logger": "1.32.1",
-    "@contrast/patcher": "1.31.1",
-    "@contrast/rewriter": "1.36.1",
-    "@contrast/route-coverage": "1.52.0",
-    "@contrast/scopes": "1.29.1",
-    "@contrast/sources": "1.5.1",
+    "@contrast/instrumentation": "1.39.0",
+    "@contrast/logger": "1.33.0",
+    "@contrast/patcher": "1.32.0",
+    "@contrast/rewriter": "1.37.0",
+    "@contrast/route-coverage": "1.53.0",
+    "@contrast/scopes": "1.30.0",
+    "@contrast/sources": "1.6.0",
     "semver": "^7.6.0"
   }
 }

package/lib/dataflow/propagation/install/fastify-send.js

@@ -1,60 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-
-const { primordials: { StringPrototypeSlice } } = require('@contrast/common');
-const { patchType } = require('../common');
-
-module.exports = function (core) {
-  const {
-    depHooks,
-    patcher,
-  } = core;
-
-  return core.assess.dataflow.propagation.fastifySend = {
-    install() {
-      depHooks.resolve({ name: '@fastify/send', version: '<3', file: 'lib/SendStream.js' }, (SendStream) => {
-        patcher.patch(SendStream.prototype, 'sendFile', {
-          name: '@fastify/send/lib/SendStream.js',
-          patchType,
-          usePerf: 'sync',
-          pre(data) {
-            const { args } = data;
-            // (†) This is a minimal propagator that just untracks the argument. There are
-            // no propagation events generated and no expensive tag range computations. We
-            // don't get the propagator context before proceeding since it could lead to false
-            // positives e.g. if the number of propagation events exceeds the configured limit.
-            const untrackedPath = StringPrototypeSlice.call(` ${args[0]}`, 1);
-            args[0] = untrackedPath;
-          },
-        });
-      });
-
-      depHooks.resolve({ name: '@fastify/send', version: '>=3 <5', file: 'lib/send.js' }, (send) => {
-        patcher.patch(send, 'send', {
-          name: '@fastify/send/lib/send.js',
-          patchType,
-          usePerf: 'sync',
-          pre(data) {
-            const { args } = data;
-            // (†)
-            const untrackedPath = StringPrototypeSlice.call(` ${args[1]}`, 1);
-            args[1] = untrackedPath;
-          },
-        });
-      });
-    }
-  };
-};

package/lib/dataflow/propagation/install/send.js

@@ -1,57 +0,0 @@
-/*
- * Copyright: 2025 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-
-const { patchType } = require('../common');
-const { primordials: { StringPrototypeSlice } } = require('@contrast/common');
-
-module.exports = function (core) {
-  const {
-    depHooks,
-    patcher,
-  } = core;
-
-  const send = {};
-  core.assess.dataflow.propagation.send = send;
-
-  function patchSendModule(sendModuleExport) {
-    return patcher.patch(sendModuleExport, {
-      name: 'send',
-      patchType,
-      usePerf: 'sync',
-      post(data) {
-        patcher.patch(data.result, 'sendFile', {
-          name: 'send.sendFile',
-          patchType,
-          pre(data) {
-            const { args } = data;
-            // This is a minimal propagator that just untracks the argument. There are
-            // no propagation events generated and no expensive tag range computations. We
-            // don't get the propagator context before proceeding since it could lead to false
-            // positives e.g. if the number of propagation events exceeds the configured limit.
-            const untrackedPath = StringPrototypeSlice.call(` ${args[0]}`, 1);
-            args[0] = untrackedPath;
-          },
-        });
-      },
-    });
-  }
-
-  send.install = function () {
-    depHooks.resolve({ name: 'send', version: '<2' }, patchSendModule);
-  };
-
-  return send;
-};